Library

Governing for Security: Protect Stakeholder Interests

NEWS AT SEI

Author

Julia H. Allen

This article was originally published in News at SEI on: April 1, 2005

Leaders must protect stakeholder interests in a visible and accountable manner as part of responsible enterprise security governance. In this discussion, "enterprise" includes the extended or virtual enterprise comprising all of those entities with electronic access to an organization's networks.

Why is This Important?

According to the Corporate Governance Task Force, "Today's economic environment demands that enterprises in both the public and private sectors reach beyond traditional boundaries. Citizens, customers, educators, suppliers, investors, and other partners are all demanding better custodianship of their information and more access to strategic resources. As enterprises rise to meet this demand, traditional boundaries are disappearing and the premium on information security is rising. Heightened concerns about critical infrastructure protection and national homeland security are accelerating this trend" [CGTF 04].

Failure to protect stakeholder interests with respect to certain categories of information or failure to prevent unauthorized access to personal information may have serious legal consequences. An enterprise-wide approach to security governance can help an organization maintain compliance with new and expanding laws and regulations and avoid legal liability related to statutory or common law.

These laws have all provided regulatory incentives for C-level executives and boards of directors to pay closer attention to the subject of information security and thus information-security—or more broadly enterprise-security—governance. The U.S. Sarbanes-Oxley Act, more than any other current legislation, has had the greatest influence on security governance. This is because the statute makes leaders of public corporations responsible for establishing and maintaining adequate internal controls. A similar security effect derives from both state and international law. The California Database Protection Act (CA SB 1386; notification of personal security-information breaches) and European Union directives on data protection and privacy and electronic communications are affecting multi-state and multinational organizations [CRS 05].

Stakeholders: Stakeholders may include shareholders, investors, rating agencies, partners, suppliers, vendors, customers, employees, consultants, governments (local, state, national), surrounding communities, citizens, and communities of interest such as certifying bodies and professional associations. As defined by the U.S. General Accounting Office, a stakeholder is "an individual or group with an interest in the success of an organization in delivering intended results and maintaining the viability of the organization's products and services. Stakeholders influence programs, products, and services."1 Stakeholders have some kind of involvement in the organization which could be an investment, share, concern, right, title or responsibility.

Stakeholder Interests: From an enterprise security perspective, stakeholder interests are likely to include

accurate reporting on the effectiveness and productivity of the enterprise

creation, preservation, and enhancement of the organization's reputation

availability and reliability of services (business resilience)

demonstrated due diligence with respect to protecting against malicious attacks (internal and external) and accidents that can be anticipated

ensuring of only authorized access to enterprise information

protecting the privacy of stakeholder information

Protecting stakeholder interests includes being a responsible citizen when connecting enterprise networks to the global internet. The IIA states "In the modern world, everything business or government does with their information technology becomes part of the global information infrastructure. We must build infrastructure to a very high standard. Attaching weak components to the infrastructure puts your organization as well as your neighbors at risk. Responsible citizens will contribute only sound components to that cooperative infrastructure." [IIA 00]

Stakeholder interests are most effectively protected by selecting a broad set of enterprise security principles, interpreting and tailoring these for the enterprise, and ensuring their use and enforcement in the normal course of business. These actions help to ensure that an organization achieves and sustains a culture of security.

Principle-Based Protection: So what does it mean to protect stakeholder interests with respect to governing for enterprise security? An enterprise must select and institutionalize broad enterprise security principles to fully protect stakeholder interests. Enacted principles inform decisions thereby influencing strategies, plans, and policies. These actions create a culture of security throughout the enterprise. We have synthesized several credible and reputable sources of information security principles (see below) to clarify what it means to protect stakeholder interests.

These principles of enterprise security derive from foundational work performed by

American Chemistry Council [ACC 99, ACC 03]

Business Software Alliance [BSA 03]

Corporate Governance Task Force [CGTF 04]

Corporate Information Security Working Group [CISWG 04a, CISWG 04b]

Information Systems Security Association [ISSA 04]

Information Technology Governance Institute [ITGI 01, ITGI 04]

Institute of Internal Auditors [IIA 01]

International Standards Organization [ISO 00a, ISO 00b]

National Association of Corporate Directors [NACD 01]

National Institute of Standards and Technology [NIST 96, NIST 04]

Organisation for Economic Co-operation and Development [OECD 02]

Software Engineering Institute [CMMI 03]

These principles (listed below) represent a composite list; we expect that all principles are not applicable for all organizations. Organizations can use this list to select, interpret, prioritize, deploy, and reinforce statements of enterprise-security principles as manifestations of expected behaviors. To be effective and of greatest value, principle selections should be aligned with business objectives including the requirement to protect all stakeholder interests.

Principle descriptions in most of the references address the security of information. We expand these to address security of the extended enterprise that includes but is broader than information security.

Each of the principles is stated using the present tense, conveying what actions, behaviors, and conditions demonstrate the presence of the principle in the organization’s culture and conduct.

Accountability: The governing body (i.e. board of directors; trustees) is accountable for providing effective oversight of enterprise security. Management is responsible for ensuring effective execution of the agreed-to enterprise security program. Such accountability and responsibility is explicit, defined, acknowledged, and accompanied by the authority to act. Leadership accountability and responsibility for security are visible to all stakeholders.

Leaders (members of governing bodies and managers) possess the necessary knowledge, skills, and abilities to fulfill these responsibilities. Individual roles, responsibilities, authorities, and accountabilities are assigned. Leaders ensure that all stakeholders with access to enterprise networks understand their responsibilities with respect to enterprise security. Chief executives sponsor regular enterprise security evaluations, review the evaluation results with stakeholders as appropriate, and report on performance to the governing body, including a plan for remedial action to address any deficiencies.

Adequacy: "How much security is enough may be one of the most critical—and difficult to answer—questions" [IIA 01]. Investment in enterprise security protection strategies (principles, policies, procedures, processes, controls) is commensurate with risk. Determination of risk is based on the value, sensitivity, and criticality of the asset with respect to its vulnerability to loss, damage, disclosure, or denied/interrupted access. Probability, frequency, and severity of potential vulnerabilities are considered along with a comparison of the cost to reconstitute the asset versus the cost to protect it. Dan Geer suggests that one indicator for the right amount of security investment is how much collaboration you have, meaning the amount of information you have in play resulting from how open your network is to outside parties [Geer 04b]. Other indicators may include the degree and circumstances of critical asset exposure, or the range of tolerable to intolerable consequences resulting from a realized risk.

Leaders ensure that sufficient resources (people, time, equipment, facilities, funds) are authorized and allocated to achieve and sustain an adequate level of security.

Awareness: Leaders are aware of and understand the need to consider security from an enterprise-wide perspective, thus including it in their governance processes. They understand what actions are necessary to protect shareholder and stakeholder value with respect to security. They understand what enterprise-security actions are necessary to retain current customers and attract new customers.

All stakeholders are aware of enterprise security risks and protection strategies and understand their concomitant roles and responsibilities. Enterprise security awareness is demonstrated by the training and education provided to stakeholders who become authorized users of enterprise networks and by requiring periodic training for continued access. Employee position descriptions and agreements with stakeholders define security roles, responsibilities, skills, certifications, and agreements to comply with policy reflect awareness as well. Performance and partner reviews address how well security responsibilities are fulfilled.

Compliance: Enterprise security protection strategies are in compliance with legal and regulatory requirements, requirements of conducting business, and requirements established by external stakeholders. Oversight and actions necessary to objectively evaluate compliance (such as internal and external audits) are built into the enterprise security program. This includes regular monitoring, review, and reporting of compliance findings to affected and interested parties. Leaders ensure that a plan is developed to address remedial and timely action for any security deficiencies and ensure the plan is effectively executed.

Effectiveness: Actions to achieve and sustain adequate enterprise security are demonstrably aligned with enterprise objectives, critical success factors, and the mitigation of enterprise security risks. Security priorities and resources are determined based on this alignment. As a result, stakeholders view enterprise security in an enabling role, similar to audit, quality assurance, program management, and environmental protection [IIA 01]. Enterprise security is subject to continuous review, periodic testing, and an evaluation of its effectiveness as measured against enterprise objectives.

Ethics: Use of information, systems, and networks across an enterprise and by all stakeholders matches expectations established by social norms, obligations, being a responsible internet citizen, and enterprise codes of ethical conduct. Policies describing the ethical use of information address ownership, privacy, and prohibition of inappropriate use of information and systems to the detriment of an enterprise and its stakeholders. As a result, stakeholders are educated and thus respect the legitimate interests of others, understanding the extent to which their action or inaction may harm others, and the consequences of unethical behavior.

Inclusion: The perspective and requirements of all stakeholders are represented and considered in forming an enterprise security strategy and program. This includes an appropriate level of stakeholder involvement in the development and review of principles, policies, procedures, processes, and controls. Inclusion can be achieved through a range of communication and elicitation mechanisms such as web sites, newsletters, regional meetings and conferences, and working groups.

Individual Equity: Leaders implement enterprise security "in a manner consistent with the values of a democratic society including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness, and transparency" [OECD 02]. Qualified further, enterprise security "actions do not infringe upon the obligations, rights and needs of legitimate users when exercised within the legitimate parameters of the mission objectives" [ISSA 04].

Information Sharing: In response to the need for greater transparency and visibility, leaders are prepared to report the organization's security state to stakeholders when and where required, appropriately balanced with the risks of such disclosure. This includes ensuring that the right information is collected, retained, and communicated to the right parties at the right time. Forums for information sharing include those mentioned in Inclusion (above) as well as working with oversight, regulatory, and law enforcement agencies.

Measurement: Leaders articulate metrics that demonstrate the adequacy (or lack thereof) of enterprise security and the extent to which enterprise security actions are aligned with enterprise objectives. Such metrics indicate what leaders consider to be important. "What gets measured gets done. Metrics are about transforming policy into action and measuring performance. Visible metric scores provide a positive influence on human behavior by invoking the desire to succeed and compare favorably with one's peers. Metrics report how well policies and processes are functioning, and whether or not they are producing desired performance outcomes" [CISWG 04b]. Metrics are defined and regularly reported at the governing body, management, and technical levels of the enterprise. Performance measurement of an enterprise's security state is conducted with the same rigor as for other enterprise business units, functions, and processes.

Perspective/Scope: The perspective, scope, and breadth of security considerations is enterprise-wide. "Security consciousness exists at all levels. Security is a holistic issue, including corporate culture, people, training, processes, and communications (not just technical" concerns) [IIA 01]. A coherent system of integrated security protection strategies (principles, policies, procedures, processes, controls) exists to enact all of the principles described here and to ensure continuity of operations. "Security is a fundamental element of all products, services, systems, and networks" [OECD 02] and is considered at each phase of any development and asset life cycle. Staff and stakeholders understand that security is an essential business requirement and thus a characteristic or attribute of how the organization conducts itself.

Response: All accountable stakeholders act in a timely, coordinated manner to prevent or respond to threats to enterprise security and compromises of enterprise security. Such response requires developing and regularly exercising business continuity, disaster recovery, crisis management, and incident management plans so that the enterprise is adequately prepared in the face of an attack and is able to resume normal operations as quickly as possible.

Risk Management: Leaders continually review, assess, and modify enterprise security protection strategies in response to the dynamically changing risk environment in which they operate. This includes "potential harm that may originate from others or be caused by others" [OECD 02]. Leaders articulate acceptable levels of risk (tolerance, appetite, thresholds, assumptions for same) to enterprise assets based on their value, sensitivity, and criticality. Such levels are examined during regular review and assessment processes.

Costs of compromise (loss, damage, disclosure, denied/interrupted access, costs to reconstitute) are quantified to the extent possible as part of ongoing risk management. Controls are selected to effectively monitor and mitigate risk and their performance is regularly measured and reviewed. Plans for remedial action to address risk mitigation deficiencies are developed and executed following each assessment.

Stakeholder interests are most effectively protected by selecting a broad set of enterprise security principles, interpreting and tailoring these for the enterprise, and ensuring their use and enforcement in the normal course of business. These actions aid in ensuring a culture of security. Ultimately, protecting stakeholder interests is about engendering and preserving trust.

We welcome your critique and feedback on this article and any others in the Governing for Enterprise Security series. Please send your remarks to Julia Allen at jha@cert.org.

About the Author

Julia Allen is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, Pa. The CERT Coordination Center is also a part of this program.

Allen is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance. Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a BSci in computer science (University of Michigan) and an MS in electrical engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001).

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.